> ## Documentation Index
> Fetch the complete documentation index at: https://docs.iru.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Create a PPPC Library Item

> Create a new PPPC profile in Iru Endpoint to pre-approve app access to camera, microphone, screen recording, and other macOS privacy-protected resources.

<Callout icon="apple" color="#B84A7A" iconType="regular">This Library Item is available for Mac computers</Callout>

### What is PPPC?

Privacy Preferences Policy Control (PPPC) in macOS helps administrators manage app permissions and protect user data. Using a PPPC profile, you can pre-approve apps' access to system services like the camera, microphone, and file systems, eliminating the need for manual user approval and simplifying your deployment process.

### How PPPC and TCC Controls Work

<Warning>
  Due to Apple's privacy requirements, Camera, Microphone, and Screen Recording access will always require user interaction to approve.
</Warning>

Apple's PPPC payload allows you to configure Transparency, Consent, and Control (TCC) settings, which are crucial for safeguarding user information. PPPC profiles let you pre-approve or deny app access to system services like the camera, microphone, and file systems. You create these profiles using XML files that specify each app's permissions, bundle IDs, and code requirements. Once created, you deploy these profiles via MDM to apply the settings to enrolled macOS devices.

For more information about PPPC payloads and their capabilities, see [Apple's Privacy Preferences Policy Control documentation](https://support.apple.com/en-gb/guide/deployment/dep38df53c2a/web).

### Considerations

Once you've configured permissions through a PPPC profile, they're managed by the system and won't show up in System Settings. Users can't change these settings on their own, and there's no way to bypass macOS's PPPC protections.

### Determining Which Apps Need a Privacy Profile

To determine if your app needs additional privacy permissions, follow these steps:

<Steps>
  <Step title="Install and launch the app">
    Install your app on a test device or a macOS virtual machine. Launch the app and pay attention to any UI dialogues that appear, such as those requesting access to accessibility features or the Downloads folder.
  </Step>

  <Step title="Open System Settings">
    Navigate to System Settings and click on **Privacy & Security**.
  </Step>

  <Step title="Check app permissions">
    Select an option on the right-hand side, like **Accessibility**. If your app is listed here, it indicates that the app requires this PPPC permission.
  </Step>

  <Step title="Get the app path">
    Right-click on the app listed and select **Show in Finder**. Finder will launch with the app in question selected. You can drag and drop the application into Terminal to get its full path, which will be used in the next step.
  </Step>
</Steps>

### Determine the Identifier and Code Requirement

To create a PPPC profile, you need to know the application's code requirement and identifier. This information can easily be collected using Terminal on a Mac with the application installed.

<Steps>
  <Step title="Launch Terminal">
    Launch Terminal on a macOS device on which the application is installed.
  </Step>

  <Step title="Run codesign command">
    Run the following command, replacing `/Applications/zoom.us.app` with the path to your application:

    ```bash theme={null}
    codesign -dr - "/Applications/zoom.us.app"
    ```
  </Step>

  <Step title="Copy the code requirement and identifier">
    When the output results appear, copy all text after the **=>** characters; do not copy any trailing or leading spaces. This output is the **Code Requirement**. The portion between the quotes, e.g. "us.zoom.xos", is the **Identifier**.
  </Step>
</Steps>

### Configuring a Privacy Profile using Iru

<Note>
  Privacy settings deployed via MDM will not appear in the graphical user interface in System Settings.
</Note>

With your application information collected, you can create a Privacy profile in the Iru Web App.

<Steps>
  <Step title="Create the Library Item">
    Follow the steps in [Managing Library](/en/endpoint/getting-started/blueprints-and-library/managing-library) to create a Privacy Library Item.
  </Step>

  <Step title="Select Blueprints">
    Select your desired Blueprints.
  </Step>

  <Step title="Set identifier type">
    If your output includes an identifier in the first part of the code requirement, leave the Identifier type set to **Bundle ID**; otherwise, select **Path**.
  </Step>

  <Step title="Enter identifier or path">
    Paste in the **identifier** found in the first part of the code requirement. If you selected **Path** above, input the path for the profile.
  </Step>

  <Step title="Paste code requirement">
    Paste in the full code requirement that you copied from Terminal. Ensure that there are no leading or trailing spaces in the code requirement; unnecessary characters can prevent the profile from deploying.
  </Step>

  <Step title="Validate code requirement (optional)">
    Optionally, check the **Statically validate the code requirement** box. This option is used only if the process invalidates its dynamic code signature.
  </Step>

  <Step title="Select app or service">
    Select an option from the **App or Service** dropdown. This selection depends on the application's requirements. For more information, refer to the Determine Which Apps Need a Privacy Profile section of this guide.
  </Step>

  <Step title="Add additional apps (optional)">
    If needed, you can add additional app access to a PPPC profile by clicking **Add app access**.
  </Step>

  <Step title="Save the profile">
    Click **Save** in the bottom right corner.
  </Step>
</Steps>

### Verifying Your PPPC Profile

To verify that your PPPC profile is working correctly:

<Steps>
  <Step title="Open System Information">
    Open **System Information** on the target Mac computer.
  </Step>

  <Step title="Select Profiles">
    Select **Profiles** from the left-hand column.
  </Step>

  <Step title="Locate PPPC profile">
    Locate your profile containing the PPPC payload.
  </Step>

  <Step title="Expand profile details">
    Click the disclosure triangle next to the profile name.
  </Step>

  <Step title="Verify TCC policy">
    Look for the `com.apple.TCC.configuration-profile-policy` entry. This confirms that the profile is actively managing TCC permissions on the device.
  </Step>
</Steps>

### Troubleshooting

<AccordionGroup>
  <Accordion title="Applications Still Prompting for Permissions">
    <Steps>
      <Step title="Verify code requirement">
        Double-check that the code requirement was copied correctly with no leading or trailing spaces. Re-run the `codesign -dr -` command to verify the code requirement matches what's in your profile.
      </Step>

      <Step title="Check identifier type">
        Verify you selected the correct identifier type (Bundle ID or Path) and that the identifier matches exactly what was returned from the codesign command.
      </Step>

      <Step title="Verify application approval">
        Confirm the application is included in the approved applications list in your PPPC profile.
      </Step>

      <Step title="Check service permissions">
        Verify the correct service permissions are configured for the application. For example, if an app needs screen recording access, ensure "Screen Recording" is selected in the App or Service dropdown.
      </Step>

      <Step title="Use TCC log stream">
        If you're still seeing permission prompts, use this command in Terminal to identify which app or binary is requesting access:

        ```bash theme={null}
        log stream --debug --predicate 'subsystem == "com.apple.TCC" AND eventMessage BEGINSWITH "AttributionChain"'
        ```

        This shows real-time TCC permission requests and can help identify the exact app or binary that needs to be added to your PPPC profile.
      </Step>
    </Steps>
  </Accordion>

  <Accordion title="System Settings Shows Grayed Out Permissions">
    <Steps>
      <Step title="Test application functionality">
        In System Settings > Privacy & Security, sliders for certain permissions may appear grayed out even when the app has the necessary permissions. This is a visual quirk and doesn't necessarily indicate a problem. Test the application's functionality to confirm it's working properly.
      </Step>

      <Step title="Verify profile is active">
        Confirm the PPPC profile is installed and active on the device by checking System Information > Profiles.
      </Step>
    </Steps>
  </Accordion>

  <Accordion title="Code Requirement Issues">
    <Steps>
      <Step title="Verify code requirement format">
        Ensure the code requirement doesn't have any leading or trailing spaces. Even a single space can prevent the profile from working correctly.
      </Step>

      <Step title="Re-verify code requirement">
        If an app was updated, the code requirement may have changed. Re-run the codesign command to get the updated code requirement and update your PPPC profile accordingly.
      </Step>

      <Step title="Check static validation">
        If you're using the "Statically validate the code requirement" option, ensure it's only enabled when the process invalidates its dynamic code signature. Most apps don't need this option enabled.
      </Step>
    </Steps>
  </Accordion>
</AccordionGroup>
